Organizations face a tremendous amount of security pressure, from regulators looking at compliance requirements, customers concerned about third-party access to user information, and suppliers worried about third-party risk. A dedicated security leader, such as a CISO, CSO, or a senior-level role such as a director of security, manages the organization's overall security risk.
For small organizations without a budget, and for others that aren't ready for a CISO, there is a way to tap into a CISO's security expertise: the virtual CSO. This is the person who comes into the organization and acts as a CISO or CSO, implementing security programs, answering C-suite and board-level questions, and working with individual departments to improve security across the board.
“It’s hard to find that leadership, and even if you find it, it’s hard to retain,” said Wim Remes, CEO and founder of consulting company Wire Security. “Having a virtual CSO shows the company is dedicated to working on security.”
Smaller organizations may not have the budget for a full-time security executive, but they still need security leadership. One of the fallacies about security is that you need to reach a certain size or a certain amount of market presence before you need to worry about security.
Some organizations are more worried about auditors and compliance issues than about hackers. Regulations such as GDPR, PCI, and HIPAA pose a real threat to the business, because there are actual penalties for being out of compliance. This kind of organization wants someone who knows how to manage compliance and can help with that piece of the security program, but not so much with other aspects. Using compliance as a driver isn’t a terrible thing, since organizations can adopt good security practices that also map to the compliance framework.
A startup may need security advice because they see an existential threat. The CEO, CTO, or even the CFO, may note that they need to be proactive about taking “very obvious hacks off the table” so that they won’t be blindsided by an attack. This may be about putting anti-phishing in place, hardening the email server, or fixing web application vulnerabilities. Just last year, there were many MongoDB and other NoSQL databases getting compromised in cloud environments because they were deployed without basic authentication controls. There may be light vulnerability assessments. The goal is to do things quickly so that the startup can address the issues before an attack cripples operations and forces them to shut down entirely. These companies have formal third-party risk management programs or go down the path of getting specific certifications because they don’t want to be the easy target.
“The executives say, ‘I want to be off the obvious dumb target list,’ so these are things we typically focus on,” said Gal Shpantzer, an independent security consultant who acts as a security advisor to CISOs.
Pressure may also come from investors. The latest round of financing from venture capital firms may come with specific security conditions, such as sharing a copy of the latest penetration test with the investors, requiring all developers to attend the training session on the secure software development lifecycle, or rolling out user awareness training and anti-phishing exercises.
“Sometimes VCs are attaching various security riders to the investment,” said Shpantzer. “'Here are the things you’ll have to prove to us in order to keep getting money, and be in compliance with our risk program because we want to protect our investment in you.’”
For companies, the ability to acquire customers quickly, efficiently, and cost-effectively is incredibly important. If having a CSO lowers the cost of sale, because getting a particular certification or adopting a formal third-party risk management program makes it easier to win clients, then that is a competitive advantage. They don’t want to lose potential customers just because they are missing a certification or because they can’t prove they can handle the risks of working with different suppliers and contractors.
“You are proactively saying to every customer and every prospect, ‘Here’s how we address security,’” Shpantzer said.
Or the organization has a CSO, but the security team is missing a specific skillset or experience. The virtual CSO would complement the existing structure and act as a sounding board for the CSO. Security is a very wide field and most people are experts in a handful of domains. There aren’t many people in information security who have specific experience creating, managing, and advancing security programs. Throw in geographic and language barriers, and specific industry sector requirements, and the list of available professionals gets even shorter.
Perhaps the CISO has just left and the organization hasn’t found the right replacement. The company may have a formal security program, documentation, audits, the works. “But nobody is here to keep the lights on and make sure that we are keeping up with the threat,” Shpantzer said. “That’s when they call me or my other peers in the virtual CSO community.”
Finally, the organization may have just experienced a breach, some kind of an incident, and need someone who can handle incident response as well as all the legal, management, and public relations issues.
“It’s a very small community. There’s just only so many of us around. We’re kind of over-employed,” Shpantzer said.
That’s not to say the virtual CSO is coming in just to execute an existing plan. In some cases, the virtual CSO has a compressed timeline, far shorter than the 90 days traditional CSOs get to learn the organization’s culture, existing processes, and business requirements, to define and implement a security plan. The virtual CSO needs people at all levels of the organization to be brutally honest and communicate clearly, and it is easy to miss something that a CISO who has had the 90 days to learn the cultural nuances would know.
Most of Remes's clients are software-as-a-service companies or suppliers to bigger organizations. When his clients get security requests from their customers, such as filling out compliance questionnaires, Remes completes them. He also spends time on calls with clients and their customers to provide information about what security steps are being taken.
Remes spends about 60 percent to 70 percent of his time executing the security plan with individual teams and 30 percent to 40 percent dealing with executives. “Somewhere there’s 10 percent to 15 percent spent with third-party customers and suppliers,” Remes said.
What a virtual CSO does
The virtual CSO is more than just a technical role, as he or she needs to be able to talk across the entire organization and navigate the political layers. Working with the CEO, human resources, and legal involves understanding business processes. The relationship with the CTO, vice-president of engineering, and DevOps teams would revolve around server administration and maintenance, managing the cloud environment, and implementing the software development life cycle. The CSO has to be able to describe how the technical tasks benefit the organization. Helping developers deliver some code, or helping IT complete a technical milestone, is great technically, but the explanation to the CFO may emphasize different points than the one to the general counsel. The next VC touchpoint, where the investors are assessing whether their security conditions have been met, may emphasize something else entirely.
“This is a really strange profession, especially as a consultant,” Shpantzer said.
A CSO (traditional and virtual) must be able to build relationships, and be an advisor for everyone. Remes calls it being the “people’s champion.” If someone has a technical project, they should talk to the CSO. Developers and architects working on new applications should run their ideas past the CSO. There may be projects that are languishing because the teams have not been able to communicate their ideas to senior management. As the virtual CSO, Remes fits the idea into a framework, such as ISO-2700 or the NIST Cybersecurity Framework, and pushes it “upstairs” to get senior management’s approval.
“Those are often the projects that have the system administrators frustrated because they weren’t able to translate it into that language, but I can come and translate that for them,” Remes said.
Most C-level executives care about two metrics: time and money. A CSO who can make something cheaper or make something take less time is more likely to get their attention. Remes described how a client he was working with was concerned about how much it was spending on Amazon Web Services. After studying all the systems deployed within AWS, Remes was able to provide an estimate of what was being spent monthly, along with several cost-saving recommendations. Remes was then able to divert some of those savings into initiatives where developers adopted new security features.
“If you are going to talk about how you need firewalls, configurations, and infrastructure, and cannot prove it’s going to cost less money or that it will improve performance, you’re not going to win,” Remes said.
Shpantzer has a similar story, describing how he works with clients to secure Office 365. He uses the Secure Score function in Office 365, a numeric score quantifying the security of the organization’s Office 365 environment. Shpantzer shows that just by turning on two-factor authentication for administrator accounts on Office 365, this score goes higher. It is a quick task, and the threat from anybody with stolen passwords attempting credential stuffing is completely removed. It costs the company nothing because he used existing functionality on a service it was already using.
“They [executives] love hearing that...we should make sure we're leveraging the existing tech and process that we can,” Shpantzer said.
Defining the engagement scope
If the organization is very immature, security-wise, and doesn’t already have a security program or structure, then the engagement focuses on strategy. In contrast, if the organization already has an existing program that is ISO-certified, and has specific milestones already planned, then it is clear what kind of strategic goals need to be met in the next year. That kind of engagement will be partly strategic and partly deliverable-based.
Organizations like to keep details of their security programs to themselves, so it was surprising that potentially having competitors as clients was not a problem. Some virtual CSOs offer retainers where the client organization has a certain amount of hours or days in a month. Some organizations may prefer just charging a flat per-project fee or a per-hour rate.
“I do the standard NDAs, and then we work on the basis of trust,” Remes said. Since the scope of the engagement tends to be strategic and less about specific deliverables, Remes doesn’t have to worry about giving clients a set number of hours per month. Once he knows the complexity of the projects and what he needs to deliver, he manages his own time and delivers what the client needs.
Remes works with the IT teams performing code reviews and migrating applications and data centers from on-premises to AWS. What he doesn’t do is “business-as-usual work,” such as creating users, setting access control policies for Windows users, creating group policies, and managing firewalls.
There are different types of tasks and responsibilities, and it is up to the virtual CSO to make sure the expectations are clearly set. Take writing reports. Everybody in security has to write reports, but a board-facing presentation requires a different level of effort than a report given to the CTO while talking about tech. Shpantzer was delivering a draft report to a client who wanted the order changed in how information was being presented. At first, the changes were no big deal. “After two or three or four or five rounds of this, ‘Hey buddy, you’re basically abusing my time here.’ This is a fixed-price engagement,” Shpantzer said.
Flexibility and communication are critical, especially in order to understand priorities. Make sure everyone understands what the deliverables look like, how long they will take, and what kind of resources are available.
Taking on the CSO role doesn’t automatically mean the virtual CSO is going to be fighting fires. That remains with the existing security team and the IT team. But if there is an active incident, the organization might expect the virtual CSO to step up until the problem is solved, and deal with the fix so that it doesn't happen again. If that is not part of the engagement, it needs to be clearly communicated.
“The most important thing is to engage with a customer, understand what they need, talk to business people, talk to technical people there, and do some of your own due diligence with them,” Shpantzer said. “If this isn’t a good fit, recommend someone else.”
Shpantzer puts a clause in the contract specifying his responsibilities when there is no active incident, and what he is willing to do if there is one. “I am not obligated to be that person for you but I will assist you in helping with that,” he said. There is some grey area, and it depends on the level of additional work he has to do. Last May, when news about Intel AMT broke and Intel admitted its firmware contained a web server that could be accessed directly over the web, Shpantzer told the client what the problem was and assigned someone to scan all assets for any open ports. These two tasks helped the client get its arms around the scope of the problem. The situation would have been far different if the web application had been hijacked, or the database wiped.
“The fire marshal does different things than the firefighter who is actually spraying water and climbing stairs into a burning building. The marshal is checking the fire escapes and smoke detectors before the fire comes,” Shpantzer said. “It’s a different job.”
Challenges of being virtual
Just because the role is virtual doesn’t mean the security bad news takes a break. There are new vulnerabilities and reports of data breaches. How the virtual CSO handles the pressure is important. Being removed from the rest of the organization means there isn’t always the time to develop rapport and good business connections internally to help manage the stress.
“We’re all going a little bit crazy...security burnout is very real,” Shpantzer said. “It is hard to know if you’ve done a good job. There’s a lot of uncertainty. It takes a certain person that has management skills, enough technical skills or ability to work with technical people to do this kind of work.”
Just as being virtual doesn’t reduce the volume of security issues to deal with, being virtual doesn’t protect the CSO from office politics. Shpantzer remembers being brought into a company where the CSO had left recently. He started doing the work, but encountered “massive political interference” from one person who wanted the CSO job. After some time, the executive team decided to let the person take the role, except he was underqualified for the work. A lot of people in the security department quit, and when things got really bad, Shpantzer was brought back. “The gig was given to me and then it was taken away from me. I was told to do this other thing while this guy tries it,” Shpantzer said. “It’s hard. At the end of the day, it’s about managing people. People are difficult, and they are political.”
“I failed to manage the political shenanigans that were going on right in front of me because I was trying to get the work done and ended up losing the battle,” Shpantzer said. “So did they, because he clearly wasn’t up for the job.”
Shpantzer said he has to remind himself that he doesn't know everything, and that whatever he knows now will be stale in a few weeks. Being a good security person means knowing you are always going to be learning, and that you are part of an ecosystem. You are not alone. He suggests having a short list of subspecialty experts to help deal with specific problems that may come up with the client. Think of the virtual CSO as a project manager or program manager, a communicator, and someone who also knows the technical stuff.
“Don’t say ‘Oh, I have to be the best CSO for everybody,’ because that’s not how it works,” Shpantzer said.
Header image by Kevin on Unsplash.